185f28a3b4
This change updates the default policies implemented in Heat, to follow the updated guideline[1] to implement SRBAC. The main change is that system users are no longer allowed to perform any operations about project-level resources like stacks, while project admin(*1) is still allowed to perform operations about project-level resources BEYOND project (like getting stacks for all projects by list stacks API). [1] https://governance.openstack.org/tc/goals/selected/consistent-and-secure-rbac.html#direction-change This also adds the test cases to validate reader role which was almost implemented in heat. (*1) If Keystone has an admin project defined, Heat checks an additional requirement that request context is scoped by that admin project. Change-Id: I943b3c1ce021cc05445b73fbc342b8386cf5bf6a |
||
---|---|---|
.. | ||
aws | ||
cfn | ||
middleware | ||
openstack | ||
__init__.py | ||
versions.py |